Ok... I was wondering what the general opinion is here on "notifying" an admin that someone might be using their box to hack (or, in turn, notifying the kiddie you're "watching"). I know other people have done it and I know that they have suffered some fallout... but either I'm getting old and grumpy or, well... *shrug*

What I am thinking about is an IDS system that, when triggered, connects back to the source IP and sends it an SMB and/or syslog message to (hopefully) let the admins know that something odd is going on... of course, it would have to be somewhat smart in order to try to avoid nasty things like spoofing (like waiting for the TCP handshake to complete before it sends an alert - which means it wouldn't trigger for things like a SYN scan, of course).

So, said script kiddie connects to my box and tries to enumerate the web/ftp/whatever server or honeypot I am running... my box tries to connect back to it and talks to its SMB server, sending a message to the screen or to the syslog server, sending it a log message...

Just wondering what people's opinions would be on something like this these days... or if someone could add to this and improve upon the idea.
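
The handshake check mentioned in the post, as an added example that is not part of the original post: it decides which source addresses are address-verified, meaning the final ACK acknowledged the sensor's own initial sequence number, which a spoofed sender never sees. The `Pkt` record, the function name and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str   # "in" = remote -> sensor, "out" = sensor's reply
    peer: str        # remote IP address
    sport: int       # remote port
    dport: int       # local port on the sensor
    flags: str       # "S", "SA", "A" or "R"
    seq: int
    ack: int = 0

def verified_sources(packets):
    """Return the peers that completed a three-way handshake with the sensor."""
    pending = {}     # flow -> ack value we expect (our ISN + 1), None until SYN-ACK sent
    verified = set()
    for p in packets:
        flow = (p.peer, p.sport, p.dport)
        if p.direction == "in" and p.flags == "S":
            pending.setdefault(flow, None)
        elif p.direction == "out" and p.flags == "SA" and flow in pending:
            pending[flow] = (p.seq + 1) % 2**32
        elif p.direction == "in" and p.flags == "R":
            pending.pop(flow, None)          # SYN scan: RST instead of the final ACK
        elif p.direction == "in" and p.flags == "A" and pending.get(flow) is not None:
            if p.ack == pending[flow]:       # peer really received our SYN-ACK
                verified.add(p.peer)
                del pending[flow]
    return verified

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    # Full connect: handshake completes.
    Pkt("in", "198.51.100.7", 40000, 80, "S", 1000),
    Pkt("out", "198.51.100.7", 40000, 80, "SA", 5000, 1001),
    Pkt("in", "198.51.100.7", 40000, 80, "A", 1001, 5001),
    # SYN scan: the scanner resets after seeing the SYN-ACK.
    Pkt("in", "203.0.113.9", 40001, 21, "S", 2000),
    Pkt("out", "203.0.113.9", 40001, 21, "SA", 7000, 2001),
    Pkt("in", "203.0.113.9", 40001, 21, "R", 2001),
    # Spoofed source: a blind ACK cannot guess the sensor's sequence number.
    Pkt("in", "192.0.2.55", 40002, 80, "S", 3000),
    Pkt("out", "192.0.2.55", 40002, 80, "SA", 9000, 3001),
    Pkt("in", "192.0.2.55", 40002, 80, "A", 3001, 1234),
]

if __name__ == "__main__":
    print(sorted(verified_sources(SAMPLE)))
```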